White hat vs black hat vs grey hat SEO.

Three labels SEO people use for three risk profiles. White hat is the boring, safe, slow work. Black hat is the spammy stuff that gets your site nuked. Grey hat is the bit in the middle most agencies pretend they do not do. Here is the honest map, and the penalties that go with each tier in 2026.

What each label actually means

The colour metaphor is borrowed from old hacker culture, where white-hat hackers worked with permission and black-hat ones did not. Same idea here. The middle was always grey because life is grey.

  • White hat. SEO work that follows Google's published guidelines. The result might be slower, but it survives algorithm updates and would still rank if Google handed your URL to a human reviewer.
  • Black hat. SEO work that deliberately breaks the guidelines for a short-term ranking gain. The methods are hidden from Google. Detection is the whole game.
  • Grey hat. Tactics that technically violate the guidelines but rarely get enforced. Aggressive guest posting, link exchanges, paid links with disclosed sponsorship that gets ignored. The risk is not today's penalty; it is the next update.

Google's stance has been the same since 2003: do not deceive users or search engines, build for humans first. The penalty system has shifted, the spirit has not. If you would not be comfortable explaining the tactic to a customer in a meeting, it is probably grey or black.

For the pillar overview of how SEO actually fits together, read what is SEO. For the agency-side version of this conversation, what does an SEO actually do covers what white-hat work looks like inside a retainer.

White hat: the slow, safe playbook

White hat is not glamorous. It is also the only approach that builds a real business asset.

Examples of white-hat work

  • Earned links. Genuinely useful content that other sites choose to link to, plus polite outreach asking for context-appropriate placements (broken-link replacement, expert quotes, original research).
  • Original content. Real expertise, real first-hand examples, real Australian data. Not "researched" by AI from the top 5 ranking pages.
  • Technical fixes for human readers. Faster pages, working navigation, proper headings, clean URLs, valid schema markup.
  • Internal links that actually help readers. If a reader needs the next concept, link to it. Not stuffing 40 anchor links into a footer.
  • Genuine reviews. Asking real customers for real Google reviews. No automation, no incentivising, no template responses.
  • Real digital PR. Press releases with actual news, original studies pitched to AU journalists, podcast guesting where you have something useful to say.

The trade-off: every one of these takes longer to move the needle than the grey-hat shortcut. A white-hat link earned through digital PR costs 5 to 10 hours of work. A bought link from a private blog network costs $80 and arrives next week. The bought one ranks faster. It also disappears (often with your other rankings) the next time Google's link team runs a cleanup.

Black hat: what the spammy stuff looks like

Most Australian business owners never see black hat work directly. You see the consequences when a cheap agency does it on your behalf. Recognise the tactics so you can spot them.

Classic black-hat tactics

  • PBNs (private blog networks). A network of expired domains repurposed into fake niche blogs whose only job is to link to client sites. Google has been systematically deindexing PBNs since the 2014 crackdown but new ones still spin up.
  • Cloaking. Showing different content to Googlebot than to human visitors. Used to be common for affiliate and gambling sites. Still common in some Indian and Eastern European SEO shops.
  • Hidden text. White text on a white background, text behind images, text rendered off-screen via CSS. The point: stuff keywords without humans seeing them. Detectable by any decent crawler.
  • Doorway pages. Hundreds or thousands of nearly identical pages targeting different keywords, all funnelling to a single conversion page. Often spotted in low-quality "city + service" page farms.
  • Content spinning. Running content through AI or software to generate dozens of slightly-different versions. The 2023-2026 Helpful Content updates eat this for breakfast.
  • Bought reviews. Fake 5-star reviews on Google Business Profile, often from offshore review farms. Google has been aggressive on these since 2020, and Australian competition law adds a separate ACCC angle.
  • Sneaky redirects. A user lands on the URL they clicked, then gets bounced to a different page via JavaScript. Used by affiliates trying to launder traffic. Detected, penalised.
  • Negative SEO. Pointing spam links at a competitor in the hope Google penalises them. Rarely works in 2026 because Google's link discounting is good enough to ignore most spam, but still attempted.

If a proposal arrives in your inbox offering "1,000 backlinks for $499", "guaranteed page-one in 30 days", or "submit your site to 5,000 directories", you are looking at black hat dressed up as a bargain. The cheaper the package, the worse the underlying tactic. Real link earning costs hours of human work.

Grey hat: the bit nobody admits to

Grey hat is where most of the SEO industry actually lives, including agencies that publicly call themselves white hat. The tactics here are not penalised consistently, so the cost-benefit looks attractive until it does not.

Common grey-hat tactics

  • Guest posting at scale for the link, not the audience. A staple of every link-building agency. Google's guidelines explicitly call this out as a violation when the primary purpose is the link. Almost nobody gets penalised for moderate use. Heavy users get hit.
  • Aged-domain redirects. Buying an expired domain with existing backlinks and 301-redirecting it to your site. Sometimes works. Sometimes triggers a manual action.
  • Reciprocal link schemes. "I link to you, you link to me." Banned in the guidelines but extremely common between agencies and B2B providers.
  • Paid links with "follow" attribution. Paying for a placement on a real site and not disclosing it via rel=sponsored. Common in fintech, gambling and supplements.
  • AI content with light human editing. Drafted by an LLM, lightly polished, published in bulk. The original Helpful Content update wave killed sites doing this at scale. Lighter use survives but ranking momentum has slowed.
  • Exact-match anchor text stacking. Pointing dozens of backlinks at one page using the exact target keyword as anchor. Used to work. The Penguin penalty was built specifically to stop this.
  • Schema markup for content that does not exist. Marking up reviews you never received, FAQ schema for FAQs not on the page, or ranking-tier schema for non-existent products. Google's spam policy explicitly covers this and Rich Results get removed.

The pattern with grey hat is always the same: works for a while, ranks the client, the client tells their mate, the mate hires the same agency, then an algorithm update lands and three years of rankings vanish overnight. We have walked into Perth businesses where the previous agency had pulled exactly this trick. Recovery is possible but it is months of careful cleanup work.

Google penalties in 2026, ranked

Google has two distinct penalty systems. Both can wipe a business.

Algorithmic suppression (the silent one)

The algorithm decides your site looks low-quality and pushes it down or out of the index. No notification. No manual action message in Search Console. You just notice traffic and rankings tanking. Recovery is at the next update cycle, which can be months away.

The Helpful Content system from 2022 onwards is the heaviest of these. It looks for sites that appear written for search engines rather than users: thin content, scaled AI output, doorway pages, off-topic pages. A single trigger can suppress the entire domain.

Manual actions (the explicit one)

A human reviewer at Google looks at your site, decides you violated the spam policies, and applies a manual action. You get a notification in Search Console explaining which policy you breached. Your rankings drop, sometimes to zero. To recover you fix the issue and submit a reconsideration request. Three to six months is a normal recovery window.

The most common manual actions in 2026:

  1. Unnatural links to your site. The link profile looks bought or manipulated. Cleanup involves either getting the links removed or using the disavow tool.
  2. Unnatural outbound links. The site is linking out to spammy destinations or selling follow links. Add rel=sponsored or remove the offending links.
  3. Thin content with little or no added value. Pages exist purely to chase keywords, no real value to a reader. Rewrite or remove.
  4. Cloaking and sneaky redirects. The page shown to Googlebot is not what the user sees. Fix the cloak, request reconsideration.
  5. Spammy structured data. Schema marking up content that does not exist or attributes that are misleading. Remove the offending schema.
  6. User-generated spam. Forum or comment sections being abused to publish spam links. Add moderation, disavow, request reconsideration.

For the parent context on how SEO is meant to work properly, the pillar at what is SEO sets the boundaries this article is policing.

Common mistakes that drift into grey or black

Stay safe

  • Earn links by being useful. Studies, expert commentary, real partnerships, broken-link fixes, original Australian data.
  • Publish content because you have something to say, not because the keyword volume looks juicy.
  • Disclose paid relationships. rel=sponsored on paid placements. Affiliate disclosures up top.
  • Ask real customers for reviews. Send them the Google review link. No incentives.
  • Use AI as a research and drafting assistant, with named human authors editing and adding original insight.

Don't drift

  • Buy backlink packages. The seller is always selling the same network to dozens of clients. Network gets killed; everyone drops together.
  • Spin up 30 "City + Service" pages using a template and a suburb name swap. Always classed as scaled doorway content.
  • Publish AI content under fake author names. Easily detected, hits authority signals hard.
  • Add FAQ schema to a page where the questions are not actually visible to a reader.
  • Set up review automation that texts every customer five times until they leave 5 stars.
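
An added example (not from the original article and not a Google tool): a self-audit of your own page for two of the issues above, FAQ schema whose questions are not in the reader-visible text and paid placements missing rel=sponsored. The `paid_domains` set, the finding labels and the sample page are constructed for illustration; text hidden with CSS is not evaluated.

```python
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageAudit(HTMLParser):
    """Collects reader-visible text, JSON-LD blocks and <a> links."""
    def __init__(self):
        super().__init__()
        self.visible, self.jsonld, self.links, self.mode = [], [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):  # contents are never shown to readers
            self.mode = "ld" if a.get("type") == "application/ld+json" else "skip"
        elif tag == "a" and a.get("href"):
            self.links.append((a["href"], (a.get("rel") or "").lower().split()))
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.mode = None
    def handle_data(self, data):
        if self.mode == "ld":
            self.jsonld.append(data)
        elif self.mode is None:
            self.visible.append(data)

def norm(s):
    return " ".join(s.lower().split())

def audit(html, paid_domains):
    """Return (finding, detail) tuples; CSS-hidden text is not evaluated."""
    p = PageAudit()
    p.feed(html)
    text, findings = norm(" ".join(p.visible)), []
    for node in (json.loads(b) for b in p.jsonld if b.strip()):
        if isinstance(node, dict) and node.get("@type") == "FAQPage":
            for q in node.get("mainEntity", []):
                if norm(q.get("name", "")) not in text:
                    findings.append(("faq-not-visible", q["name"]))
    for href, rel in p.links:
        if urlparse(href).hostname in paid_domains and "sponsored" not in rel:
            findings.append(("paid-link-missing-sponsored", href))
    return findings

# Constructed sample: the second FAQ question and the first link are the problems.
SAMPLE = """<h2>Do you charge a call-out fee?</h2><p>Yes, a flat fee.</p>
<a href="https://partner.example/deal">Partner</a>
<a rel="sponsored noopener" href="https://ads.example/x">Ad</a>
<script type="application/ld+json">{"@type": "FAQPage", "mainEntity": [
 {"@type": "Question", "name": "Do you charge a call-out fee?"},
 {"@type": "Question", "name": "Are you the cheapest plumber in Perth?"}]}</script>"""
```

Calling `audit(SAMPLE, {"partner.example", "ads.example"})` flags the FAQ question that appears only in the markup and the partner link that lacks rel=sponsored.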

Tools to check whether you have been hit

If your traffic dropped and you do not know why, these are the diagnostic steps.

  1. Search Console → Security & Manual Actions → Manual Actions. If a human reviewer has applied a penalty, the notification lives here. If this page says "no issues detected", your problem is algorithmic.
  2. Search Console → Performance. Plot clicks against the dates of known Google updates (search "Google core update history" for the calendar). Drops aligned with an update date are algorithmic.
  3. Ahrefs or SEMrush backlink audit. Check the link profile. Lots of low-quality, off-topic, foreign-language links pointing at you can either be negative SEO or your own historical mistakes.
  4. Sistrix or Semrush visibility score. Compare your visibility curve against your top 3 competitors. If they dropped on the same date, it is a category-wide update, not just you.
  5. Helpful Content audit. Walk through Google's own "is your content helpful" questionnaire (published as part of the guidelines). Honest answers tell you whether the algorithm has reason to suppress you.

For a fast diagnostic across all of these, our free SEO audit tool runs the technical and link checks in one report. For a human review of whether your existing site is at risk, the website audit service includes a manual link-profile review and content-quality assessment.

Perth and WA context

Specific patterns we see in Australia and Perth:

  • Tradies and PBN links. Cheap link-building packages still get sold to Australian tradies through Facebook ads and cold LinkedIn outreach. The selling agency is almost never in Australia. Many Perth electrical and plumbing sites we audit have a tail of toxic links from previous engagements. Trades SEO done properly does not need any of this.
  • Multi-suburb landing page farms. Especially in the trades and home services categories. 50 pages targeting "electrician + every Perth suburb" with the only differentiator being the suburb name. Classed as doorway content. Better approach: real depth on 5-8 service areas, each with genuine local context. Compare our Fremantle and Joondalup pages, which differ deliberately, against the template farms most agencies push.
  • Mining and B2B link buying. Industry-trade publications in mining and engineering sometimes offer "advertorial packages" that are functionally paid follow links without disclosure. Decline unless they will mark them rel=sponsored. Mining SEO sets out the legitimate alternatives.
  • Review automation gone wrong. A wave of Perth dental, beauty and physiotherapy clinics got flagged in 2024 for over-aggressive review automation. The Google Business Profile penalty is brutal: reviews wiped, listing suppressed in the local pack. Healthcare-adjacent businesses are especially exposed. Healthcare SEO covers the safe playbook.
  • AI content in regulated industries. Legal, financial planning, mortgage broking. Generating advice content with AI and publishing under partner names risks both an SEO penalty and a real regulatory problem. The latter is more painful than the former. See legal SEO.

If you suspect your current agency is operating in grey, the cheapest insurance is an outside audit. For the broader myths floating around about what SEO tactics actually work in 2026, the next read is SEO myths that won't die.

Frequently asked

What is the difference between white hat and black hat SEO?
White hat SEO is the work that follows Google's published guidelines: real content, real links earned through real outreach, technical fixes for human readers. Black hat SEO breaks the guidelines deliberately: hidden text, link networks, cloaking, content spinning, exact-match doorway pages. Grey hat is the middle ground where the tactic is technically against the rules but rarely enforced.

Is black hat SEO illegal?
Not illegal in most countries. It is against Google's terms of service, and Google's penalty for getting caught is removing your site from the results. That penalty can wipe a business overnight, which is why the risk is rarely worth taking for a real Australian business.

Can my site get penalised for grey hat tactics?
Yes, when Google's algorithm updates close the loopholes. The PBN crackdown of 2014, the link-exchange penalties in 2019, and the Helpful Content updates from 2022 onwards all wiped out grey-hat tactics that had worked for years. The risk profile of grey hat is not how it works today, it is what happens at the next update.

How do I know if my SEO agency is white hat?
Ask them three questions: where do their links come from, will they show you the actual outreach process, and how do they handle a Helpful Content update on a client site. A white-hat agency answers all three openly. A grey-hat agency dodges one. A black-hat agency dodges all three.

What are the most common SEO penalties in 2026?
Algorithmic suppression from Helpful Content updates is by far the most common, hitting thin AI-generated content and scaled doorway pages. Manual actions for unnatural links still happen but are rarer. Spam-policy actions for sneaky redirects, cloaking and hidden text round out the top three.

Can I recover from a Google penalty?
From a manual action, usually yes if you clean up the cause and submit a reconsideration request. Expect three to six months. From an algorithmic suppression, also yes but slower. Rebuild the content quality and the affected pages can return at the next update cycle. The fix is always upstream of the tactic that caused the drop.